Skip to content

feat: Add trust boundary support for service accounts and impersonation. #1778

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat: Add trust boundary support for service accounts and impersonation. #1778

wants to merge 7 commits into from

Conversation

nbayati
Copy link

@nbayati nbayati commented Jun 3, 2025

@nbayati nbayati requested review from a team as code owners June 3, 2025 21:50
@nbayati nbayati requested review from lsirac and sai-sunder-s June 4, 2025 20:27
@nbayati nbayati changed the title Add trust boundary support for service accounts and impersonation. feat: Add trust boundary support for service accounts and impersonation. Jun 6, 2025
sai-sunder-s
sai-sunder-s requested changes Jun 7, 2025
View reviewed changes
google/auth/credentials.py Outdated
raise NotImplementedError("_build_trust_boundary_lookup_url must be implemented")

@staticmethod
def _parse_trust_boundary(trust_boundary_string: str):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where is this used?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching this. It's no longer used so I went ahead and removed it.

@nbayati nbayati requested a review from sai-sunder-s June 11, 2025 19:51
lsirac
lsirac reviewed Jun 23, 2025
View reviewed changes
Copy link
Contributor

@lsirac lsirac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you handle feature gating the same way we do for pluggable auth? We should align this across all languages.

Also, please add the following test cases:

  • Please add a test scenario for both service_account.Credentials and impersonated_credentials.Credentials where a valid (non-noop) trust boundary is successfully fetched and cached on the first refresh. A second refresh should then mock a RefreshError from the lookup endpoint. The test should assert that no exception is raised and that the initially cached trust boundary data is preserved on the credentials object. This would validate the fallback logic in _refresh_trust_boundary.

  • Include explicit tests for both service_account.Credentials in tests/oauth2/test_service_account.py and impersonated_credentials.Credentials in tests/test_impersonated_credentials.py to confirm that the trust boundary lookup is skipped when the credential is instantiated with a non-default universe_domain. This ensures the check is correctly triggered by the concrete classes.

sai-sunder-s
sai-sunder-s reviewed Jun 24, 2025
View reviewed changes
google/auth/compute_engine/credentials.py

request = google_auth_requests.Request()
try:
info = _metadata.get_service_account_info(request, "default")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@harkamaljot you had worked on optimizing this call somewhere else in the code recently. Can you PTAL at this method and see if there are any issues in doing this call or something can be optimized.

google/auth/compute_engine/credentials.py
default_scopes=self._default_scopes,
trust_boundary=trust_boundary,
)
creds._universe_domain = self._universe_domain
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not initialize universe domain through the creds init

google/auth/credentials.py
Comment on lines +314 to +315
self._trust_boundary["encodedLocations"]
== NO_OP_TRUST_BOUNDARY_ENCODED_LOCATIONS
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can use _has_no_op_trust_boundary here?

@nbayati nbayati requested a review from lsirac June 24, 2025 05:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sai-sunder-s sai-sunder-s sai-sunder-s requested changes

@lsirac lsirac Awaiting requested review from lsirac

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nbayati @sai-sunder-s @lsirac